[Idea] False Biased Extraction for SQLi using Prime numbers

I'm getting into this new style of blogging where I blog my unadulterated raw thoughts. Open to the ridicule of the entire world. It's liberating :) It's also very interesting to see how I make mistakes and what I learn from them, instead of just the monotonous, lifeless style of blogging what you got right or won at. So anyway here's today's thought...

A couple of years ago, some dude from Immunity talked about how in "True" Blind SQLi it might be effective to favor responses that produce no-wait responses (here's the link: ). That is to say, if you are exploiting a Blind SQL injection vulnerability in which only time-based responses are observable, it makes sense that responses that don't trigger sleeps or waits would get you information faster. Brilliant observation! This is quite clever because it allows you to throw the traditional computer science idea of efficiency out of the window (or rather the conventional idea c…

Abusing WebVTT and CORS for fun and profit

WebVTT is a way HTML5 developers can display and cue text as subtitles for video formats. The grammar for WebVTT is pretty simple, and as we know, browsers are always willing to forgive any "weird" looking grammar in an effort to provide a best-effort experience for users. This post looks at ways to take advantage of WebVTT in some attack contexts in order to extract information or perform general DOM abuse.

Video tags can make use of subtitle files, as follows:

WebVTT (subtitle) files need to follow this format:

The file merely describes cues, allows you to number them and associate a duration and display time with them. Display timestamps specify hours (hh), minutes (mm), seconds (s) and milliseconds (ttt). According to my basic inspection of the grammar, most browsers require you to respect the placeholders (significant figures) if you specify the magnitude. For instance, if you want to indicate hours you need to use both placeholders, and the same goes for the others. …

Stealing Secrets with CSS : Cross Origin CSS Attacks

In this post I'm going to discuss a web attack, designated CVE-2015-5826 and CVE-2015-1287, which abuses the way CSS parsing works in some browsers and expands the way we think about HTML injection attacks.

The Vaudenay Attack : A practical example

Hi guys, in the previous post I discussed the theoretical basis for the Vaudenay (or padding oracle) attack; in this one I'm going to share a little script that will help you play around with padding oracles and also manually perform the attack. But first a quick recap!

Padding Oracle Attacks : The other padding that killed your secret key

Hi folks! In this post I'd like to talk about something that's pretty old but still crops up every now and then (example). I know for most folks this is nothing new, but I'd still like to have a post about this attack in my archive and also deliver a good explanation of the attack in a way that makes it easier for more people to understand (I know for newcomers this attack can be a bit of a mind-bending exercise :P). Also, if you want to be a total infosec / crypto hipster you can refuse to call it the padding oracle attack and call it by its eponym "the Vaudenay attack", paying homage to the inventor Serge Vaudenay :)

Update: The next post is a more practical explanation of this attack :)

Automated DEX Decompilation using Androguard part II: Dex2Java

The next post in the Androguard tutorial series (by the way, here's part one). Here we are going to see how to construct a novel script that decompiles an APK into full Java code using Androguard and Python.

Working from the previous post about decompiling a dex file into Dalvik bytecode (which is actually little more than purely interpreting the contents of the Dex file -__-), we're going to use Androguard here to take the analysis one step further, actually producing readable Java code! With one or two caveats (like import statements :P).

Automated DEX Decompilation using Androguard

Hey guys, it's been a while since my last post and my blog is beginning to gather dust. So I thought I would drop a couple of posts about some new stuff I've been trying and learning. This post is about Androguard and how to write a simple Python script that dumps decompiled Dalvik bytecode from an Android APK.